Examworthy (examworthy.com)

Certified Information Security Manager (CISM) cheat sheet

ISACA

Exam version 2026 · Reviewed 2026-05-31

Free to share. Examworthy is not affiliated with or endorsed by ISACA; CISM and related marks belong to their respective owners.

At a glance

150 questions
240 min time allowed
450 / 800 pass mark (scaled score)
$760 cost (USD)

Format: Multiple choice, computer-based at PSI testing centres or remote proctored

Domain weight map

Heaviest first - spend your time here
Information Security Program: 33% · 98 Q
Incident Management: 30% · 90 Q
Information Security Risk Management: 20% · 59 Q
Information Security Governance: 17% · 51 Q

How this exam thinks

CISM rewards the answer a security manager would give: align with the business and manage risk, not the deepest technical fix.

Spot the trap

Tempting wrong answers, and why they fail

Tempting but wrong

A standard, because it specifies the mandatory technical requirements a system must meet, is the document that gives the step-by-step instructions for a task.

Why it fails

Tempting because standards are detailed and mandatory, but a standard states what must be achieved, not the ordered steps for achieving it. In the policy hierarchy, a policy states management intent, a standard sets mandatory requirements, a procedure gives the sequential how, and a guideline is discretionary advice.

Information Security Program

Tempting but wrong

The notification deadline to the regulator should run from the date technical containment of the affected systems is fully completed.

Why it fails

Containment is an important operational milestone, so tying the clock to it feels logical. But notification obligations are anchored to the point at which the organisation becomes aware of the breach, not to the completion of technical remediation, which may come much later; starting the clock at containment would make the deadline depend on how slowly you contain.

Incident Management

Tempting but wrong

Express every risk in annual loss expectancy so the board gets the precise monetary ranking it expects.

Why it fails

Monetary figures look authoritative, which makes this tempting. But without credible occurrence and loss data, the annual loss expectancy values rest on guessed inputs, so the ranking they produce is false precision rather than a defensible ordering. Qualitative or semi-quantitative ratings are the honest choice where the data is not there.

Information Security Risk Management

Tempting but wrong

If the funding freeze blocks the regulatory project, the right move is to defer it to the next cycle and formally document the compliance exposure as an accepted risk.

Why it fails

Tempting because it respects the freeze and uses formal risk acceptance, but accepting a known regulatory breach when reallocation is possible is poor stewardship, and the manager rarely has authority to accept that level of risk alone.

Information Security Governance

Tempting but wrong

The signed contract and the vendor's published certification report can serve as the primary operating controls for confidential data in a SaaS service.

Why it fails

Contracts and certification reports give contractual and point-in-time assurance, and they feel sufficient for a reputable vendor, but they are not operating controls. They do nothing to enforce or monitor access to the data day to day, so they cannot be the primary operating controls; they complement controls such as identity integration, access reviews and logging rather than replace them.

Information Security Program

Tempting but wrong

Eradication should begin by restoring the affected server from the most recent pre-incident backup so operations can resume on a known-good build.

Why it fails

Restoring from backup is a fast route to availability, which makes it tempting. But it is a recovery activity, and doing it before the root cause is addressed risks reinstating the same unpatched vulnerability and any compromise captured in the backup.

Incident Management

Tempting but wrong

Asset value multiplied by exposure factor gives the annual loss expectancy to report.

Why it fails

That product is the single loss expectancy (SLE = asset value × exposure factor), not the annual loss expectancy. ALE = SLE × annualised rate of occurrence, and leaving out the ARO (in the scenario, two events per year) understates the expected yearly loss by exactly that factor.

Information Security Risk Management
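The two risk-management traps above (false precision from guessed ALE inputs, and reporting SLE as if it were ALE) come down to the same arithmetic, so here is one worked example covering both. This is an added example, not code from the Examworthy page or from ISACA; the three risks, their asset values, exposure factors and annualised rates of occurrence are constructed, hypothetical figures. It ranks the register by SLE and by ALE to show that the two orderings differ, and then asks whether the ALE ranking survives the uncertainty in the guessed inputs.

```python
"""SLE/ALE worked example for the CISM risk-management traps.

Added example, not from the Examworthy page or ISACA.  All risks and
figures below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost in one event (0..1)
    aro: float              # ARO, expected occurrences per year


def sle(r: Risk) -> float:
    """Single loss expectancy: loss from one occurrence (AV x EF)."""
    return r.asset_value * r.exposure_factor


def ale(r: Risk) -> float:
    """Annual loss expectancy: SLE scaled by how often it happens (SLE x ARO)."""
    return sle(r) * r.aro


def rank(risks, key):
    """Risk names ordered from largest to smallest under the given measure."""
    return [r.name for r in sorted(risks, key=key, reverse=True)]


def ale_range(r: Risk, ef_unc: float, aro_unc: float):
    """Low/high ALE when EF and ARO are only guesses within +/- a fraction.

    EF is clamped to [0, 1] and ARO to >= 0 so the bounds stay meaningful.
    """
    ef_lo = max(0.0, r.exposure_factor * (1 - ef_unc))
    ef_hi = min(1.0, r.exposure_factor * (1 + ef_unc))
    aro_lo = max(0.0, r.aro * (1 - aro_unc))
    aro_hi = r.aro * (1 + aro_unc)
    return r.asset_value * ef_lo * aro_lo, r.asset_value * ef_hi * aro_hi


def ranking_is_defensible(risks, ef_unc: float, aro_unc: float) -> bool:
    """True only if each risk's ALE interval sits clear of the next one's.

    If the intervals of two consecutively ranked risks overlap, the point
    estimates could swap places within the stated uncertainty, so the
    monetary ranking is false precision rather than a defensible order.
    """
    ordered = sorted(risks, key=ale, reverse=True)
    for higher, lower in zip(ordered, ordered[1:]):
        if ale_range(lower, ef_unc, aro_unc)[1] >= ale_range(higher, ef_unc, aro_unc)[0]:
            return False
    return True


# Constructed risk register (hypothetical figures).
REGISTER = [
    Risk("Ransomware on file server", asset_value=500_000, exposure_factor=0.6, aro=0.5),
    Risk("Laptop theft", asset_value=3_000, exposure_factor=1.0, aro=12.0),
    Risk("Web app defacement", asset_value=200_000, exposure_factor=0.05, aro=2.0),
]


def main() -> None:
    for r in REGISTER:
        print(f"{r.name:28s} SLE={sle(r):>10,.0f}  ALE={ale(r):>10,.0f}")
    print("Ranked by SLE:", rank(REGISTER, sle))
    print("Ranked by ALE:", rank(REGISTER, ale))
    for unc in (0.5, 0.1):
        print(f"+/-{unc:.0%} on EF and ARO -> defensible ranking:",
              ranking_is_defensible(REGISTER, unc, unc))


if __name__ == "__main__":
    main()
```

With these inputs the defacement risk has an SLE of 10,000 but an ALE of 20,000, the factor-of-two gap the trap above describes, and the SLE ordering puts defacement ahead of laptop theft while the ALE ordering reverses them. At plus or minus 50% on the guessed EF and ARO the ALE intervals overlap and the ranking is not defensible; at plus or minus 10% it is, which is the difference between having occurrence and loss data and not having it.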

Tempting but wrong

ISO/IEC 27001 is the best fit because certification gives executives an externally verified statement of security posture.

Why it fails

Certification is attractive to executives, but the retailer explicitly does not want a certifiable audit regime, and ISO/IEC 27001 centres on a management system rather than the current-versus-target outcome profiling that was asked for.

Information Security Governance

Key terms

Resource management, Security staffing, Tooling, Capacity planning, Asset inventory, Data classification, Information asset, Data sensitivity, ISO/IEC 27002, NIST SP 800-53, CIS Controls, Security baselines, Security policy, Acceptable use policy, Policy hierarchy, Standards vs guidelines

Exam-day rules

  • Read the last line of the question first. It tells you what is actually being asked, so you can read the scenario looking for the answer rather than memorising every detail.
  • Answer as a manager, not an engineer. When a technical fix and a governance or process response both appear, the exam almost always wants the management answer.
  • Map every decision back to the business. The best option aligns with business objectives and the agreed risk appetite, not the most secure or most technical choice.
  • Treat MOST, BEST, PRIMARY and FIRST as signals. They mean several options are defensible and one fits best, so rank by the manager's lens rather than by which sounds most secure.
  • Respect the order in incident scenarios. Containment comes before eradication, and the business impact analysis precedes the recovery plan; picking a later step too early is a classic trap.

Revision schedule

  1. Day 1
    Map the blueprint and book a date
  2. Week 1
    Adopt the manager's mindset
  3. Weeks 2-4
    Lock governance and risk (Domains 1 and 2)
  4. Weeks 4-6
    Go deep on the programme and incidents (Domains 3 and 4)
  5. Week 7
    Practise on scenarios with worked explanations

Practise CISM free

Every question has a worked explanation and a per-distractor rationale. No sign-up.

471 audited flashcards in this deck.
